You could modify the permissions on the shortcut to read-only except for admins.
> -----Original Message-----
> From: scott [gts] [mailto:[EMAIL PROTECTED]]
> Sent: Friday, October 26, 2001 3:33 PM
> To: security-basics
> Subject: RE: permission for nero
>
> Couldn't an ordinary user exploit this by simply modifying
> your shortcut (or creating a new shortcut) that replaces
> "C:\...\NERO.EXE" with a program of his choice? Assuming the
> "RunNERO" account is in group Administrator, I'd imagine that
> quite a lot of damage could be easily done to a system.
>
> > -----Original Message-----
> > From: Mark Medici [mailto:[EMAIL PROTECTED]]
> > Subject: RE: permission for nero
> >
> > > create a service that runs the nero executable - run the service
> > > with the local admin (localsystem might work, too). Then grant the
> > > users Start/Stop/Pause permissions for the service.
> >
> > Seems kind of messy. Then again, it might work just as well as my
> > solution:
> >
> > Under Windows/2000 you can use RUNAS to start a program as another
> > user. I've done this on my home PC to allow my son to run certain
> > programs that demand ADMINISTRATOR rights. In fact, Nero is one of
> > these programs.
> >
> > Basically, you set up a specific account to be used as the RUNAS
> > account, making that account a member of ADMINISTRATORS. You modify
> > the shortcut to the application to run "c:\winnt\system32\RUNAS.exe
> > /user:RunNERO c:\Progra~1\nero\NERO.EXE". When invoked, a dialog box
> > will appear prompting for a password.
> >
> > Some work may be required to secure this account from abuse. In my
> > home environment, I deleted everything from the RunNERO profile except
> > for the STARTUP program group, and that contains a LOGOUT.EXE command,
> > and restricted login to that single workstation. More could (and
> > should) be done in a production environment. Fortunately, my son
> > isn't a hacker, and hasn't figured out how to exploit this
> > vulnerability (yet!)
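
Added example, not part of the original thread: a PowerShell audit of the concern discussed above, listing which identities other than administrators can change the RUNAS shortcut or add files to its folder. The shortcut path is a hypothetical placeholder, and treating only Administrators and SYSTEM as trusted is an assumption.

```powershell
# Added example. $ShortcutPath is a hypothetical location; point it at the real shortcut.
$ShortcutPath = 'C:\Documents and Settings\All Users\Desktop\Nero.lnk'

# Assumption: only these identities should be able to change the shortcut.
$trusted = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18'        # NT AUTHORITY\SYSTEM
)

# Rights that let a principal alter, replace or re-permission a file, or add
# files to a folder. The two hex values are GENERIC_ALL and GENERIC_WRITE,
# which can appear in inherit-only entries on folders.
$writeMask = [int][System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')
$writeMask = $writeMask -bor 0x10000000 -bor 0x40000000

function Get-UntrustedWriter {
    param([string]$Path)
    # Ask for SIDs so the comparison does not depend on localized account names.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true, $sidType) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0
        } |
        ForEach-Object {
            $sid = $_.IdentityReference
            try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $name = $sid.Value }   # unresolvable SID: report it raw
            [pscustomobject]@{ Path = $Path; Identity = $name; Rights = $_.FileSystemRights }
        }
}

# Show what the shortcut actually launches, for manual review.
$lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($ShortcutPath)
'Shortcut runs: {0} {1}' -f $lnk.TargetPath, $lnk.Arguments

# Check the shortcut itself and its folder: write access to the folder lets a
# user drop in a different shortcut even when the original is read-only.
$findings = @($ShortcutPath, (Split-Path -Parent $ShortcutPath)) |
    ForEach-Object { Get-UntrustedWriter -Path $_ }
if ($findings) { $findings | Format-Table -AutoSize }
else { 'Only trusted identities can modify the shortcut or its folder.' }
```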
